Security Research Center Policy

In today’s world we have become more and more connected to Internet services, software, and hardware devices.

We share our information with our banks, medical institutions, and employers. We share it with smartphones, smart TVs, smart watches, and other “smart things” in our homes, which usually retain that information in remote databases outside our control. These technologies are deeply integrated into our lives and, in many cases, we have become dependent on them, which leaves us vulnerable when the technology fails or our information is not properly protected.

Our research

We conduct security research to locate any data exposures in the databases of various companies, organisations, and institutions.

Typically, we use the Shodan search engine to locate unprotected Internet-connected devices. This search engine is publicly accessible and allows researchers to identify devices and databases that are connected to the open Internet without any password protection or other technological barrier safeguarding the data stored in them. We do not crack passwords or authentication processes, and we do not use any other hacking tricks.

Once we discover a publicly exposed database, we report our findings according to the following guidelines:

When appropriate, we provide details of the data exposure to the company, organisation, or institution that failed to protect itself.

We do not modify the data we found.

We allow entities time to remedy the data exposure prior to making any details available publicly that would otherwise cause further risk.

We do not transfer any data to any third parties.

Why do we do this?

Here, in the Security Research Center, we do our best to:

Help businesses build better security by identifying data leaks, and

Raise public awareness of the dangers related to data breaches and security risks in the connected world.

Popular articles

French Online Store Still Leaks 13M Customer Data

The MacKeeper Security Research Center has discovered that a French online store is leaking the data of nearly 13 million customers. The massive amount of data was improperly stored in a misconfigured database and publicly available online. Nearly all of the records appear to belong to French citizens, and the data includes names, emails, dates of birth, delivery addresses, phone numbers, and billing information.

The MacKeeper Security Research Center has reached out to the store to secure the data, but no answer has been received yet and the database is still leaking data.

No hack or password was required to access the customer data.

The French Data Protection Act (DPA) applies to any person in charge of collecting, processing, or storing personal data, and it appears that the store may be in violation by not securing its customers’ data. Under the DPA there is also civil liability for collecting sensitive information, and data subjects have a right to compensation if they suffer damage. The French Data Protection Act has a very broad conception of personal data: a telephone number alone, for example, is considered personal data. This recent find contains far more identifying data that would qualify as personal under the law.

Below is an example of how the records look. More than 13 million records are stored as "Cookies" and include the following fields (redacted):

{
    "email" : "XXX@live.fr",
    "firstname" : "XXXXX ",
    "lastname" : "XXX",
    "website_id" : 1,
    "store_id" : 1,
    "group_id" : 1,
    "prefix" : "Mlle",
    "suffix" : null,
    "dob" : "1996/09/02",
    "gender" : null,
    "middlename" : null,
    "taxvat" : "20",
    "created_at" : "2015/11/17",
    "last_login" : "2015/11/17",
    "newsletter" : true,
    "how_have_known" : null,
    "accept_partners_offers" : false,
    "magentoId" : XXXXX,
    "postalcode" : "XXXX",
    "status" : "client"
}

Other leaked data includes payment information, purchase history, and order details:

"billing_address" : {
    "parent_id" : "XXXXX",
    "address_type" : "billing",
    "firstname" : "XXXX",
    "lastname" : "XXXX",
    "street" : "112 av de XXXX",
    "city" : "Marseille",
    "postcode" : "XXXX",
    "country_id" : "FR",
    "telephone" : "XXXXXXXXXX",
    "address_id" : "XXXXX"
},

As the number of data leaks and breaches continues to increase daily, this is another wake-up call for any company or business that collects data on its customers. Another important aspect is understanding the legal requirements for how data is stored and collected. Many small business owners overlook the importance of data security, create their store, and focus on selling products, but they are often legally required to secure the customer information they collect.

The MacKeeper Security Research Center recommends that any company collecting data audit its database, confirm that it follows best practices, and verify that every reasonable step has been taken to secure the data. A simple security audit can save you future legal problems and spare your customers and your business reputation from damage.
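As an added illustration of the redaction practice applied to the record above and of the kind of personal-data inventory such an audit should produce, here is a small Python routine that walks a record in the leaked schema, lists which fields hold personal data, and returns a masked copy in the same "XXX" style. This is example code written for this page, not the Research Center's tooling; the sample record and the list of personal-data field names are constructed assumptions based on the fields the article names.

```python
import copy

# Constructed sample in the shape of the leaked record shown above (all values are made up).
SAMPLE_RECORD = {
    "email": "jane@live.fr", "firstname": "Jane ", "lastname": "Dupont",
    "website_id": 1, "prefix": "Mlle", "dob": "1996/09/02", "taxvat": "20",
    "newsletter": True, "magentoId": 48213, "postalcode": "13001", "status": "client",
    "billing_address": {
        "parent_id": "48213", "address_type": "billing",
        "street": "112 av de la Republique", "city": "Marseille",
        "postcode": "13001", "country_id": "FR", "telephone": "0612345678",
    },
}

# Assumed set of field names that hold personal data, taken from what the article
# lists: names, emails, dates of birth, addresses, phone numbers and account/tax IDs.
PERSONAL_FIELDS = {
    "email", "firstname", "lastname", "middlename", "dob", "telephone", "street",
    "postalcode", "postcode", "magentoId", "parent_id", "address_id", "taxvat",
}


def redact_value(field, value):
    """Mask a value the way the article does: same length, content replaced by X."""
    if value is None or isinstance(value, bool):
        return value
    text = str(value).strip()
    if field == "email" and "@" in text:
        local, domain = text.rsplit("@", 1)
        return "X" * len(local) + "@" + domain  # domain kept, as in "XXX@live.fr"
    return "X" * len(text)


def redact_record(record):
    """Return (redacted copy, dotted paths of personal fields) without mutating the input."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            return {k: walk(v, path + [k]) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, path + ["[]"]) for v in node]
        field = path[-1] if path else ""
        if field in PERSONAL_FIELDS and node is not None:
            found.append(".".join(path))
            return redact_value(field, node)
        return node

    return walk(copy.deepcopy(record), []), found
```

Running `redact_record(SAMPLE_RECORD)` yields the masked document plus the list of personal-data paths (e.g. `billing_address.telephone`), which is what a disclosure report or an internal audit needs to show without exposing the values themselves.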

***

Attention - if you are a media representative or you think you can be helpful in closing this data breach, please drop us a line to security@kromtech.com

***

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.